Over the past year the Definitive Logic team has been a part of several successful Power BI projects.  As with any project we like to take stock of our setbacks and successes, so that we can improve upon our next Power BI implementation.  One setback that we have seen a couple of times has to do with Secure Embed Link.

Secure Embed Link is an easy way to show Power BI Reports in other websites, including on-premise SharePoint, without the need for coding.  However, there are a few things that will impact whether that works in Internet Explorer, Edge, and Chrome.  More specifically it comes down to how the security settings for third-party cookies are handled in the browser.  If you are embedding a Power BI Report on your website or on-premise SharePoint site, a third-party cookie (from Microsoft) is required to handle the Sign-In (see Figure 1). More specifically secure embed relies on cookies for both https://login.microsoftonline.com and https://app.powerbi.com (different URL if your Power BI instance is on Azure Government).  If not implemented properly many staff will experience an infinite redirect loop where the Power BI report keeps asking them to sign-in.  This can be a vexing experience for staff and quickly leads to help tickets and slows Power BI adoption.

Figure 1 – Secure Embed Login Prompt

What we have seen is many of the staff who are setting up Power BI (licensing, capacities, etc.) are not the same staff responsible for managing Group Policy in the organization, so it is critical for these two entities to coordinate.   To make that coordination easier here are 3 tips for making sure your Group Policy managers can support Power BI Secure Embed:

1) For Internet Explorer/Edge please make sure login.microsoftonline.com and app.powerbi.com (different URL if your Power BI instance is on Azure Government) are listed as trusted sites, so that these two URLs are in the same security zone as the site that needs to embed the Power BI Report.

a. For many on-premise SharePoint sites group policy places those sites in the Intranet Security Zone while Power BI would be in the Internet Security Zone. If Power BI needs to be embed on a SharePoint on-premise site, you will need to consider moving those sites to the same security zone.

2) For Chrome settings managed by the organization, if you are blocking third-party cookies then add login.microsoftonline.com and app.powerbi.com to the “Allow” list.

3) Test, test, test. Not all group policies and organizations are the same.  Think about creating a beta testing group to try Power BI and Secure Embed for their sites to uncover any missed settings or different security considerations.

By following these tips, your organization can have smoother adoption of Power BI and empower staff to make use of Power BI on their own sites.

As a Microsoft Gold Partner, Definitive Logic is committed to making Power BI work for our customers.  If you’re interested in how Power BI can be leveraged in your organization, please contact us at info@definitivelogic.com